
Re: Photuris questions



In message <199509161716.AA16427@interlock.ans.net>, "William Allen Simpson" writes:
>
>Yes, a hashing algorithm _HAS_ to be supported.  Indeed, every
>implementation MUST support MD5!  It may be used for either/both
>K-Transform and I/R-Transform.
>
So far so good.

>However, the authentication policy is in the receiver.  Therefore, even
>though the Initiator MUST list MD5 in its attributes, and the Responder
>might choose MD5 for the K-Transform, there is no requirement that it
>choose _anything_ for authentication, unless it _wants_ authentication!
>
Understood. I don't know whether this might present a problem when the
Initiator supports the K-transform function of an algorithm (i.e. MD5), but
not the I/R side of it; for example, I might want to use SHA as a K-transform,
but my AH code doesn't support it; I couldn't send the SHA attribute since the
remote might just support it as an I/R transform and try to use it as an
authentication method (assuming he wants to do authentication). In short,
it would be nice to be able to support subfunctions of an attribute (I think
this only happens with hash algorithms?).
-Angelos
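
The mismatch described in this message, as an added example that is not part of the original post or of any Photuris implementation: a simplified Python model comparing a flat attribute list with a per-role ("subfunction") offer. The role sets, function names and capability tables are assumptions for illustration, not the Photuris attribute encoding.

```python
# Simplified model of the negotiation discussed above; NOT the Photuris wire
# format. Role names and data layout are assumptions made for illustration.
K, IR = "K-Transform", "I/R-Transform"

def respond(offer, responder_caps, wants_auth):
    """Responder picks one algorithm per role from the Initiator's offer.

    offer: list of (algorithm, roles) in Initiator preference order, where
    roles is the set of roles the offer is valid for.
    """
    choice = {}
    for role in (K, IR):
        if role == IR and not wants_auth:
            continue  # authentication policy belongs to the receiver
        for alg, roles in offer:
            if role in roles and role in responder_caps.get(alg, set()):
                choice[role] = alg
                break
    return choice

def unusable(choice, initiator_caps):
    """Roles where the Responder chose something the Initiator cannot do."""
    return sorted(r for r, alg in choice.items()
                  if r not in initiator_caps.get(alg, set()))

def flat_offer(order):
    # One attribute per algorithm, with no way to say which role it is for,
    # so the Responder may treat it as valid for either.
    return [(alg, {K, IR}) for alg in order]

def qualified_offer(caps, order):
    # The "subfunctions of an attribute" idea: offer each algorithm per role.
    return [(alg, caps[alg]) for alg in order]

# Constructed capabilities matching the scenario in the message:
# the Initiator can use SHA as a K-Transform, but its AH code only does MD5.
INITIATOR = {"SHA": {K}, "MD5": {K, IR}}
# A remote that supports SHA only as an I/R-Transform.
RESPONDER = {"SHA": {IR}, "MD5": {K, IR}}

if __name__ == "__main__":
    order = ["SHA", "MD5"]
    for name, offer in (("flat", flat_offer(order)),
                        ("qualified", qualified_offer(INITIATOR, order))):
        chosen = respond(offer, RESPONDER, wants_auth=True)
        print(name, chosen, "unusable:", unusable(chosen, INITIATOR))
```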

